CVE-2026-62963
Centrifugal · Centrifugo
Centrifugo is vulnerable to data amplification via improper handling of highly compressed data, allowing for potential denial of service.
Executive summary
Centrifugo versions prior to 6.8.4 are susceptible to a data amplification vulnerability that could lead to significant system resource exhaustion.
Vulnerability
This vulnerability involves CWE-409, which is the improper handling of highly compressed data. An unauthenticated attacker can send specially crafted compressed payloads to the server, resulting in resource amplification that can crash the service.
Business impact
The exploitation of this vulnerability can result in a denial of service for the Centrifugo real-time messaging server. Given the CVSS score of 8.7, this flaw poses a high risk to business continuity, as the server may become unresponsive to legitimate traffic, disrupting critical real-time communication channels within the organization.
Remediation
Immediate Action: Upgrade Centrifugo to version 6.8.4 or later to apply the necessary patches for compressed data handling.
Proactive Monitoring: Monitor system resource usage, specifically CPU and memory spikes, which may indicate attempts to exploit data amplification vulnerabilities.
Compensating Controls: Implement strict request size limits at the network edge or via a reverse proxy to mitigate the impact of abnormally large or highly compressed payloads.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability represents a significant stability risk to real-time messaging infrastructure. Administrators should prioritize the update to version 6.8.4 to ensure the server correctly sanitizes and processes compressed data, thereby closing the amplification vector.